IBM QRadar User Behavior Analytics

Frequently asked questions

Get answers to the most commonly asked questions about this product.

Getting started with this product

Are there prerequisites to installing UBA?

Yes. If running on a QRadar console, the UBA app requires a minimum of 64 GB or up to 128 GB of memory. Additionally, consider deploying an App Host to get the full benefits of running the UBA app with the machine learning app enabled.

How do I get my organization's data into UBA?

UBA integrates directly into the QRadar Security Analytics solution, leveraging the existing QRadar user interface and database. All enterprise-wide security data can remain in one central location, and analysts can tune rules, generate reports and connect data without having to learn a new system.

Does UBA integrate with my other tools?

Since UBA shares the same underlying database as QRadar, any data source that is ingested in QRadar can be surfaced and leveraged for UBA including IAM,

What is the UBA architecture?

UBA is packaged as a collection of 3 apps: 1 LDAP app that helps ingest and coalesce users' identity information, 1 UBA app that helps visualize data and analytics, and 1 ML app that provides a library of machine learning algorithms used to create behavioral models of users' activities.

What is anomaly detection?

Anomaly detection is a technique used to identify unusual patterns that do not conform to expected behavior and differ significantly from the majority of the data.

What is a risk score?

A risk score is the numeric measure of the potential harmfulness of a user's activity. Each anomalous behavior that is detected by UBA impacts an individual user's risk score.

How long does it take for the Machine Learning (ML) models to train?

Machine Learning algorithms ingest the past 4 weeks of data from the shared QRadar database and typically take anywhere from 3 to 24 hours to build the models of normal behavior.

Does UBA use IBM Watson?

While UBA does not directly leverage the Watson for Cybersecurity APIs, it can leverage insights from integration with QRadar Advisor with Watson to automate the investigation of a user's activity.

Can UBA be deployed in QRadar on Cloud?

The User Behavior Analytics app can be deployed in on-premise QRadar, in QRadar on Cloud, or in any IaaS or hybrid deployments.

Pricing

How much does the User Behavior Analytics app cost?

The User Behavior Analytics app is offered to QRadar clients at no additional cost.

Will I need to upgrade my QRadar deployment to use UBA?

Clients will not need to upgrade their QRadar deployments as long as they meet the minimum system requirements.

Support

Is UBA officially supported by IBM?

Where can I go for help with UBA?

IBM Support has dedicated resources who can help with high priority issues. The UBA app includes a Help and Support section for using the UBA app, LDAP app, and Machine Learning Analytics app.

Security

How does IBM secure the user information in UBA?

As with all QRadar applications and modules, the data is encrypted at rest.

Other common questions

What is an insider threat?

Insider threat is a term for a threat to an organization's security or data that comes from within. Insider threats are usually attributed to employees or former employees, but may also arise from third parties, including contractors, customers or people with compromised credentials.

What is machine learning (ML)?

Machine learning is a subset of artificial intelligence that provides systems the ability to automatically learn and improve from experience without being explicitly programmed.

How can machine learning be applied to user behavior?

Machine Learning algorithms can be leveraged to learn the patterns of a user's behavior based on their normal activities in the past. When the algorithms detect any deviation from the normal, it is classified and marked as anomalous behavior.

What are the top use cases for user behavior analytics?

Some top use cases for UBA include users turning malicious, deviating from normal roles or peer group activity, data exfiltration, and compromised credentials.

Why should you use UBA with a SIEM?

UBA gives a lens to analyze all the events, logs and flows generated by employee activities, broken down by individual employee, thereby giving security analysts a view into any malicious or suspicious activity that any individual may be engaging in.

Where can I learn how to use UBA in my environment?

Complimentary courses are available on the Security Learning Academy and include learning paths for both QRadar admins and analysts.

Where can I try a hands-on lab demo of UBA?

A guided lab environment is available on the IBM Security Learning Academy, which demonstrates how UBA can help analysts detect malicious user behavior. The lab also walks through the investigation process and demonstrates the integration with QRadar Advisor with Watson.